SpringBoot的Session並發控制

⒈是什么？

　　即控制業務系統中一個用戶只能有一個Session

⒉解決方案

　　1.當這個用戶在其它地方登錄的時候，把之前的Session失效掉。

package cn.coreqi.security.config;

import cn.coreqi.security.Filter.SmsCodeFilter;
import cn.coreqi.security.Filter.ValidateCodeFilter;
import cn.coreqi.security.session.CoreqiExpiredSessionStrategy;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AuthenticationSuccessHandler coreqiAuthenticationSuccessHandler;

    @Autowired
    private AuthenticationFailureHandler coreqiAuthenticationFailureHandler;

    @Autowired
    private SmsCodeAuthenticationSecurityConfig smsCodeAuthenticationSecurityConfig;

    @Bean
    public PasswordEncoder passwordEncoder(){
        return NoOpPasswordEncoder.getInstance();
    }


    @Override
    protected void configure(HttpSecurity http) throws Exception {
        ValidateCodeFilter validateCodeFilter = new ValidateCodeFilter();
        validateCodeFilter.setAuthenticationFailureHandler(coreqiAuthenticationFailureHandler);

        SmsCodeFilter smsCodeFilter = new SmsCodeFilter();


        //http.httpBasic()    //httpBasic登錄 BasicAuthenticationFilter
        http.addFilterBefore(smsCodeFilter, UsernamePasswordAuthenticationFilter.class)    //加載用戶名密碼過濾器的前面
                .addFilterBefore(validateCodeFilter, UsernamePasswordAuthenticationFilter.class)    //加載用戶名密碼過濾器的前面
                .formLogin()    //表單登錄 UsernamePasswordAuthenticationFilter
                    .loginPage("/coreqi-signIn.html")  //指定登錄頁面
                    //.loginPage("/authentication/require")
                    .loginProcessingUrl("/authentication/form") //指定表單提交的地址用於替換UsernamePasswordAuthenticationFilter默認的提交地址
                    .successHandler(coreqiAuthenticationSuccessHandler) //登錄成功以后要用我們自定義的登錄成功處理器，不用Spring默認的。
                    .failureHandler(coreqiAuthenticationFailureHandler) //自己體會把
                .and()
                .sessionManagement()
                    .invalidSessionUrl("session/invalid")    //session過期后跳轉的URL
                    .maximumSessions(1) //配置最大的Session數量，即同一個用戶后面登錄所產生的Session之前登錄所產生的Session給失效掉
                    .expiredSessionStrategy(new CoreqiExpiredSessionStrategy())
                .and()
                .and()
                .authorizeRequests()    //對授權請求進行配置
                    .antMatchers("/coreqi-signIn.html","/code/image","/session/invalid").permitAll() //指定登錄頁面不需要身份認證
                    .anyRequest().authenticated()  //任何請求都需要身份認證
                    .and().csrf().disable()    //禁用CSRF
                .apply(smsCodeAuthenticationSecurityConfig);
            //FilterSecurityInterceptor 整個SpringSecurity過濾器鏈的最后一環
    }
}

package cn.coreqi.security.session;

import org.springframework.security.web.session.SessionInformationExpiredEvent;
import org.springframework.security.web.session.SessionInformationExpiredStrategy;

import javax.servlet.ServletException;
import java.io.IOException;

public class CoreqiExpiredSessionStrategy implements SessionInformationExpiredStrategy {
    @Override
    public void onExpiredSessionDetected(SessionInformationExpiredEvent sessionInformationExpiredEvent) throws IOException, ServletException {
        sessionInformationExpiredEvent.getResponse().setContentType("application/json;charset=UTF-8");
        sessionInformationExpiredEvent.getResponse().getWriter().write("並發登錄！");
    }
}

　　2.當這個用戶已經登陸了，禁止在其它地方登錄。

package cn.coreqi.security.config;

import cn.coreqi.security.Filter.SmsCodeFilter;
import cn.coreqi.security.Filter.ValidateCodeFilter;
import cn.coreqi.security.session.CoreqiExpiredSessionStrategy;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AuthenticationSuccessHandler coreqiAuthenticationSuccessHandler;

    @Autowired
    private AuthenticationFailureHandler coreqiAuthenticationFailureHandler;

    @Autowired
    private SmsCodeAuthenticationSecurityConfig smsCodeAuthenticationSecurityConfig;

    @Bean
    public PasswordEncoder passwordEncoder(){
        return NoOpPasswordEncoder.getInstance();
    }


    @Override
    protected void configure(HttpSecurity http) throws Exception {
        ValidateCodeFilter validateCodeFilter = new ValidateCodeFilter();
        validateCodeFilter.setAuthenticationFailureHandler(coreqiAuthenticationFailureHandler);

        SmsCodeFilter smsCodeFilter = new SmsCodeFilter();


        //http.httpBasic()    //httpBasic登錄 BasicAuthenticationFilter
        http.addFilterBefore(smsCodeFilter, UsernamePasswordAuthenticationFilter.class)    //加載用戶名密碼過濾器的前面
                .addFilterBefore(validateCodeFilter, UsernamePasswordAuthenticationFilter.class)    //加載用戶名密碼過濾器的前面
                .formLogin()    //表單登錄 UsernamePasswordAuthenticationFilter
                    .loginPage("/coreqi-signIn.html")  //指定登錄頁面
                    //.loginPage("/authentication/require")
                    .loginProcessingUrl("/authentication/form") //指定表單提交的地址用於替換UsernamePasswordAuthenticationFilter默認的提交地址
                    .successHandler(coreqiAuthenticationSuccessHandler) //登錄成功以后要用我們自定義的登錄成功處理器，不用Spring默認的。
                    .failureHandler(coreqiAuthenticationFailureHandler) //自己體會把
                .and()
                .sessionManagement()
                    .invalidSessionUrl("session/invalid")    //session過期后跳轉的URL
                    .maximumSessions(1) //配置最大的Session數量，即同一個用戶后面登錄所產生的Session之前登錄所產生的Session給失效掉
                    .maxSessionsPreventsLogin(true) //當一個用戶的Session數量達到最大數量以后，阻止后面的登陸行為
                .expiredSessionStrategy(new CoreqiExpiredSessionStrategy())
                .and()
                .and()
                .authorizeRequests()    //對授權請求進行配置
                    .antMatchers("/coreqi-signIn.html","/code/image","/session/invalid").permitAll() //指定登錄頁面不需要身份認證
                    .anyRequest().authenticated()  //任何請求都需要身份認證
                    .and().csrf().disable()    //禁用CSRF
                .apply(smsCodeAuthenticationSecurityConfig);
            //FilterSecurityInterceptor 整個SpringSecurity過濾器鏈的最后一環
    }
}